HIPAA And How It Will Affect Your Office

The following information was compiled to help you better understand HIPAA
and to assist your office in becoming compliant. The information was obtained
from a variety of sources and is not intended to be legal advice. If you are
having difficulty understanding any portion of the regulations, you should
consult your legal counsel.

Section 1: What is the Health Insurance Portability And Accountability Act?

HIPAA stands for the Health Insurance Portability And Accountability Act. It
was enacted by the federal government in 1996 as part of a health care reform
effort. HIPAA is intended to ensure the confidentiality of all patient-related
health care information. It also intends to simplify the administrative
processes of health care, thereby reducing the costs and administrative burdens
of health care. One thing to remember is that HIPAA uses the word "reasonable"
several times. You and your office staff must do whatever is reasonable to
protect your patients' privacy. For instance, smaller medical offices do not
have to take the same privacy measures as large hospitals do; that would not be
reasonable. Also, there are no privacy police. No one is going to come in and
inspect your office randomly. Someone must file a complaint first. Complaints
will be handled by the Office of Civil Rights, and if someone files a
complaint, it will be investigated. The fines are very high, so you will want
to be sure that your office has good privacy practices and that they are
followed all of the time.

Another thing to keep in mind is that the type of your practice may determine
the level of privacy that you need to acquire. For example, patients in an
optometrist's office may not be as concerned about people knowing they are
there as patients in a mental health office.

There are several different components of HIPAA, each one having its own
implementation date.

Section 2: The Privacy Component: implementation date: April 2002

You must do everything within reason to protect your patients' privacy.

Patients' files and information should be kept in a secure section of your
office, one that is not accessible to other patients.

Charts should not be left lying around open where someone can read them.

If you are making a phone call about a patient or to a patient, and you will
be giving out personal information, you need to do it from an area where you
cannot be overheard. For example, if you are calling their insurance company
and you will be saying the patient's first and last name, date of birth, ID#,
and/or a diagnosis, then you do not want to do it where others, perhaps in a
waiting room, can hear you.

If patients' charts are ever removed from the office, you need to have a
policy in place. For example, you should have a sign-out sheet which records
the patient's name, the date taken, and by whom, and the chart should then be
signed back in when it is returned.

If charts are removed, they should be carried in a case that is marked
"Confidential - Medical Records". If you were ever involved in an accident, or
separated from the bag for any reason, either authorities or medical personnel
would secure the information for you, or you would at least have done whatever
is reasonable to protect that information.

If computer screens are in a position where patients can view them, you may
want to move them or get a screen cover. A screen cover makes it so that the
computer screen can only be read when you are directly in front of it.

The above are just some of the things that you will need to consider when
becoming HIPAA compliant. Each office will have its own areas that need to be
reviewed; the above are many of the common ones.

Section 3: Administrative Simplification: compliance date: October 2002

A one year extension to this compliance date can be requested by filing a form
with the Department of Health and Human Services by 10/16/02. This component
requires the standardization of data transmissions (EDI) and of
procedure/diagnosis codes. The standardization of procedure/diagnosis codes
just means that you must use CPT-4 codes for procedure codes and ICD-9 codes
for diagnosis codes.

As for the standardization of EDI, that refers to your electronic billing. In
order to submit your claims electronically, you must do so in a HIPAA compliant
format.

Section 4: Security Component: no implementation date set yet

This component requires that health care professionals, billing services, and
clearinghouses take appropriate security measures to assure that health
information pertaining to an individual remains secure and is not accessible
by others.

Things to consider:

Where is your fax machine? Is it in a place where only office staff can access
incoming faxes? Is it on 24 hours a day? When you are not in the office (after
office hours), can anyone else access your fax machine?

Whenever you fax personal information about a patient, you should use a fax
cover sheet with a confidentiality statement. The statement should explain
that the following fax contains personal medical information and that, if the
fax is received by anyone other than the intended party, the fax should be
destroyed and they should notify you that it was received in error.

Do you hire a cleaning person/crew? Are they in the office when you are not?
Do they have access to patients' personal information? You may want to ask
them to sign a confidentiality statement.

Do you rent office space? If yes, does your landlord have access to your
office? Do they ever enter your office without you being present? If they do,
you may want to ask them to sign a confidentiality statement.

By asking people who have access to your office to sign a confidentiality
statement, you are making a reasonable attempt to protect your patients'
privacy. It is not always reasonable to never allow anyone access to areas
that contain private information. If those people sign an agreement and then
breach that agreement, you would not be held responsible.

If you do any business by email, you will need to use an encryption service.
This will ensure that if anyone were to intercept your emails, they would not
be able to read them.

Section 5: Privacy
Officer

All offices must designate a mandated privacy officer. This person would be
responsible for making sure all staff are HIPAA trained and that privacy
policies are typed up and followed. They would also be the person that staff
members or patients could go to with any concerns or questions about HIPAA
compliance. Even if you are a very small practice, you MUST have someone
designated as the privacy officer. It may even be the Doctor herself.

Section 6: Release of Patient
Information/Consent

You need to have the patient's written consent in order to release any of
their records/information. (Exception: if the request is due to the
immediate/urgent care of the patient.)

You should review your current consent and authorization forms to make sure
they are HIPAA compliant. HIPAA requires you to obtain consent for the use and
disclosure of information from each of your patients. You may refuse to treat
patients who will not sign the consent form.

Section 7: Unique Identifiers: No
implementation date set yet

HIPAA will mandate the use of unique identifiers. More to come on this
component. Most likely you will have one national provider number, instead of
a different provider number for each insurance company.

Section 8: Policies and Procedures
Required by HIPAA

1. Identify people on your staff who require access to
protected health information.

3. Ensure that the minimum necessary amount of information is released for
routine disclosures (only release information pertaining to what is
requested, not the patient's entire file).

4. Verify the identity of the requester of information.

5. Provide patients access to their records, the
opportunity to request corrections, and access to and accounting of
disclosures.

6. Every office must have written policies
regarding privacy practices.

Summary

Evaluate your physical office for potential privacy and security risks. One of
the best things that you can do to become ready for HIPAA is to walk through
(better yet, have someone else walk through) your office as if you are a
patient. Look around at EVERYTHING. What do you see? Do you see any personal
patient information, or charts in full view? Start right from the front door
and go through every room in your office, especially the rooms that patients
have access to. Then continue to do periodic checks to ensure ongoing
compliance.

Make sure that you have written policies regarding all of your privacy
practices, such as removing charts from the office, faxing patient
information, reviewing any complaints from patients, etc. Also, make sure you
designate a privacy officer.

Remember to train any and all new employees regarding HIPAA policies. You
should also review your current HIPAA policies regularly.